Dennis says, could someone help me in SharePoint and PowerShell, please? We have a group, All Employees, in SharePoint. The group exists in every SharePoint site. It previously had the permission of Contribute. I should change this to Read, which worked fine with PowerShell. The background is that from now on, only people should edit files in SharePoint sites who are owner or member. Right. So changing this to read. Okay. Got it. Now is the problem. I didn't know before the difference between member and owner and site member, website owner. In our project sites, only member and owner are maintained. Now when I set the All Employees group to Read, no member can edit files on the SharePoint site anymore. I think I need to change all people who are member to site member, or can I set a permission so that members can edit files? It all has to be done via PowerShell. Does anyone have any idea?

Can I just say that Microsoft has thought long and hard about the naming conventions of these different pieces, and how they then go and build their solutions. When you start renaming these pieces, the standard default, not just adding new permission types, new types of users, but modifying the existing ones, you instantly enter the danger zone of future changes, of pushouts and updates from Microsoft. It will cause you nightmares going forward by messing with the out-of-the-box configurations for those things.

So, very good example of that. I just recently had a client that for some reason in modern created some subsites underneath their intranet and started putting their content. So we had the discussion about they need to be moved up to site collections, all that kind of stuff. They did. However, when they were part of the subsite structure, they renamed the default groups. Of course they did. So when they migrated the site, the Microsoft 365 groups that are created naturally and everything, they were not able to tie to it.
I was able to rename one of them back to the original name and the group associated to it. The owner's one did not work. They literally had to recreate a brand new site and then migrate the content over because one, I couldn't fix the permission level, could not connect it into the group, and two, I had no idea what that was going to cause long-term within that environment. So they had to create a new one. Never change the names. My other thing is why the option to create a group called All Employees in SharePoint instead of using all employees except external users that is built in and is more controllable. Why, Dennis? Why?

But again, it's one of these things where, well, it's the way that we've done it in the past and we had this and we've used this that Democletures like, yeah, don't do it, learn, adjust to this. Again, going and creating new categories, new types of users within the system and it was specialized permissions. In addition to the out-of-the-box, that's how you can further refine. Don't go and re-architect all of that.

Yeah. Not good. I don't think a lot of people understand that Teams is a collaboration tool. Giving someone read access is not collaborative. That's just keeping them up-to-date. They can't be collaborative if they're reading. Which is why Microsoft made the choice. If you need to only read content, that's why it's done at the site level because the site level can be, you can have read there. But they don't also realize as you have read access, if that site is a group site which has Planner and all that kind of stuff, they can't use any of those collaborative tools. They have no access. They will never have access unless they are a member or higher. It's only just a read and they have to do that at the site, not into Teams.

Yeah. It seems like they're trying to re-architect behind the scenes instead of setting it up and architecting it using the tools the way that they're made. There's a lot of missing as most questions.
There's a lot of missing information in this question too. But where's in a SharePoint? What kind of group? When we're talking about members and owners, are you talking about an M365 group, dynamic or static? Are you a security group? Are you talking about a SharePoint group? Because there's all those different parts and pieces. In the modern architecture, the best way to do this, like Stacy said, is for read, use the everyone but external users group, which would replace your all company or all users group, whatever you've got in there, and then simply either use your M365 groups for owners and members and let that go in as the default, or use your SharePoint groups for owners and members, and then just add everyone for read for the site itself. But it sounds like they probably need somebody, and I put this in the notes, maybe hire a professional to come in and do an assessment of your permission structuring, make a recommendation about a re-architect it, and this probably is not best suited for a DIY project.

Yeah. I can guarantee with what he's got going on there, people are using sharing links because people can't get to things, so they've already broken the permissions anyway. By using the PowerShell, the PowerShell to change permissions is very, very specific, and if you don't have the correct one, you just broke permissions on things that you really didn't want to break permissions on, so I 100% agree you need to get a permissions matrix report, ran, see what the damage is, and how to resolve the issues.

I was going to ask the question for all of the consultants in this meeting. How often do you go in and do this kind of permissions cleanup for your clients?

Quarterly. We do quarterly maintenance on a number of our clients and run the permission reports. Based off the permission reports, almost quarterly or new clients, we share the fact that people have broken permissions all over using the sharing links and we have disabled it in environments.

Ours depends on what the client wants, so we typically do governance with every single client, and some of them want a report annually, some of them want a report every six months, some of them want it quarterly, some of them want it monthly, some of them are overzealous and they go in there like all the time, but it just depends. So typically at the end of the day, this comes back to our governance topic of what risk tolerance do you have and how much time do you have to give to this, but you should have some regular governance meeting on some cadence and one of those steps should be to run a permissions report to understand who's got unique permissions, how many people have unique permissions and external permissions, and then decide how can we get those into groups and get rid of the unique and the externals so that we can start over and keep those at a minimum as much as possible.

Yeah, and I would say at a minimum, quarterly, they wanna do it, that's minimum, they wanna do it a year, that's a bit much because within a quarter of time the amount of permissions get screwed up is a lot.

Well, I can say from an ISV standpoint, we had so many of our clients that were going and building these kinds of daily, weekly, monthly auditing around permissions across different areas, we built it in standard into our products so the red-core governance did that. So it is, because that's my experience as well from the ISV perspective is that when people are feeling pain and they realize that they have permissions issues that are out there, it might be something that they are looking at daily as they're cleaning up, fixing things and then it gets down to that whatever that governance cadence is.

Yeah. So the number one thing I hear when companies go through audits is as soon as a permission situation comes up that permissions is always the top level thing where people have permissions to things they're not supposed to have and content has been shared.
So permissions is probably the biggest thing that companies get dinged on all the time and they need to be aware of it and make sure they're staying ahead of it. Because it can be very expensive to fail an audit.

It's also so many of the problems that people say, I'm having issues, I can't get access or search isn't working the way that, it all comes down to permissions issues. So it's the first place to go look at this user that's having the issue. Oh, wrong type of license, wrong type of permissions or whatever that is. That's where you start troubleshooting, is with permissions.